- Ethical & Legal Considerations of Hacking
- Ethics of Hacking
- Legal Considerations and Implications of Unethical Hacking
- Laws Protecting Against Illegal Hacking and Cybercrime
- Computer Fraud and Abuse Act (CFAA)
- Electronic Communication Privacy Act (ECPA)
- General Data Protection Regulation (GDPR)
- Information Technology Act (ITA)
- National Cybersecurity Law (NCL)
- Data Protection Act (DPA)
- Federal Information Security Modernization Act (FISMA)
- Personal Data Protection Bill – 2018
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- What To Do If Accused of Unauthorized Hacking
Ethical & Legal Considerations of Hacking
Hacking is a term that is often associated with illegal activities with malicious intent. However, in the world of technology and information security, hacking can also refer to the legitimate practice of discovering and exploiting vulnerabilities in a system for the purpose of improving its security.
The consequences of unethical or illegal hacking can be severe and far-reaching. Unethical hacking not only harms the target system but also exposes the hacker to legal liability.
This post will provide an overview of the ethics and legal implications of hacking. I will also provide details of laws in various jurisdictions covering unethical hacking.
Towards the end, I will discuss what to do if accused of unauthorized or illegal hacking.
Read our article on what hacking is and the different types of hacking.
Ethics of Hacking
What is the definition of ethics? Ethics are a set of moral principles governing the conduct of an individual or a group.
The ethics of hacking determine the responsibility of the hacker and the impact of their actions on other entities, such as persons or companies. When it comes to ethical hacking, the primary consideration is respect for the access, property, privacy and security of others. In practice, this means a hacker should not use their skills to access or manipulate information and systems without proper and prior authorization.
Obtaining prior consent is a core requirement of ethical hacking. Before carrying out any hacking activity, obtain authorization that permits the hacking of the specific system in question. This ensures that the owner of the target is aware of the planned actions and of their intended or unintended consequences.
Hackers have a responsibility to act with integrity and professionalism, using their skills for positive purposes such as improving security and preventing cybercrime. This includes avoiding activities such as stealing personal data, spreading malware, or disrupting services.
Note: Information discovered during ethical hacking should be guarded and not disclosed publicly.
Check out my post on what hacking is and the different types of hacking activities that can be classified either as ethical or unethical depending on how and why they are conducted.
Legal Considerations and Implications of Unethical Hacking
The legal considerations of hacking determine the consequences of the illegal or unethical actions of a hacker. In most countries, hacking is illegal and can result in significant legal consequences for those who engage in unauthorized activities.
In the United States, computer crime laws such as the Computer Fraud and Abuse Act prohibit unauthorized access to computer systems and the theft of sensitive information. When hacking is done without proper authorization, it is considered illegal and can result in criminal charges and significant fines.
In addition, there are potential liabilities under civil law. This means that the person or organization responsible for the unauthorized access can be sued and held financially responsible for the damages it causes to the owners of the affected systems.
Read about the process of getting permission for safe hacking access.
Laws Protecting Against Illegal Hacking and Cybercrime
Illegal hacking and cybercrime are becoming increasingly prevalent as the number of digital devices connected to the internet keeps growing. With this, the need to maintain privacy and security has grown as well. Therefore, many countries have enacted laws to protect against these types of criminal activities.
Following is a brief list of some of the most common laws from around the world:
Computer Fraud and Abuse Act (CFAA)
Country: United States – 1986
The CFAA makes it a federal crime to access a computer without authorization. If authorization is in place, it is a crime to exceed that authorized access. Using such access to commit fraud is also covered under the CFAA. The CFAA has been amended several times over the years to keep up with the evolution of technology and the increasing threat of cybercrime.
Read the actual act here.
Electronic Communication Privacy Act (ECPA)
Country: United States – 1986
The Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act are commonly referred to together as ECPA. ECPA updated the Federal Wiretap Act of 1968 by extending it to the interception of computer and other digital network communications. Originally, the Federal Wiretap Act covered only communications over hard lines, such as telephone connections.
The ECPA, enacted in the United States, protects the privacy of electronic communications and prohibits unauthorized access to stored electronic communications. This law applies to email, instant messaging, and other forms of electronic communication.
- Title 1, The Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” Illegally obtained communications are also prohibited from use.
- Title 2, Stored Communications Act (SCA), protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses.
- Title 3 addresses pen register and trap and trace devices. It requires government entities to obtain a court order authorizing the installation and use of a pen register (a device that captures the dialed numbers and related information for outgoing calls or communications made by the subject) and/or a trap and trace device (a device that captures the numbers and related information identifying where incoming calls and communications to the subject originated).
Read the actual act here.
General Data Protection Regulation (GDPR)
Country/Region: European Union – 2018
The General Data Protection Regulation (GDPR) is one of the toughest privacy and security laws in the world. It imposes obligations not only within the European Union but also on organizations anywhere, so long as they target or collect data related to people in the EU.
If you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. It covers data accountability, security and protection.
GDPR makes significant provisions regarding people's privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Article 6 limits the types of processing a business is allowed to perform on the personal data it collects.
GDPR is much more comprehensive, with clearer requirements, than most of the other acts, laws and ordinances listed here.
Read the actual act here.
Information Technology Act (ITA)
Country: India – 2000
ITA provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce, which involves the use of alternatives to paper-based methods of communication and storage of information.
ITA covers all communication devices, including cell phones, personal digital assistants, a combination of both, or any other device used to communicate, send or transmit any text, video, audio or image. Computers, systems and networks are also covered under ITA.
The Act criminalizes unauthorized access and unauthorized interception of electronic communications, and other types of cybercrime.
Read the actual act here.
National Cybersecurity Law (NCL)
Country: China – 2016
NCL was enacted in 2017 and requires companies to store personal data within China and to provide the government with access to that data when requested. NCL also requires companies to implement measures to prevent cyberattacks and to assist the government in investigating cybercrime.
The NCL:
- creates the principle of cyberspace sovereignty
- defines the security obligations of internet product and service providers
- details the obligations of Internet Service Providers
- refines rules surrounding personal information protection
- establishes a security system for public key information infrastructure
- institutes rules for the transnational transmission of data from critical information infrastructures
NCL is applicable to network operators and businesses in critical sectors. Sectors considered critical include:
- Financial Services
- Power Generation & Distribution
As per Wikipedia, Articles 28 (network operators), 35 (buyers of foreign hardware or software), and 37 (data localization) are the most controversial sections of NCL.
NCL provides regulations and definitions of legal liability. NCL sets a variety of punishments, such as fines, suspension for rectification, and revocation of permits and business licenses, among others.
The law accordingly grants cybersecurity and administrative authorities the powers and guidelines needed to enforce it against those who break or circumvent its provisions.
Read details on the law here.
Data Protection Act (DPA)
Country: United Kingdom – 2018
The DPA requires organizations to process personal data in accordance with the following principles; personal data must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage
Under the DPA, you have the right to find out what information the government and other organizations store about you. This includes the right to:
- know how your data is being used
- access your personal data
- have incorrect data corrected
- have your data erased
- stop or restrict the processing and distribution of your data
- data portability, which allows you to obtain your data and reuse it for other services
- object to how your data is processed in certain circumstances
Read details on the act here.
Federal Information Security Modernization Act (FISMA)
Country: United States – 2002
FISMA, originally enacted in 2002, has gone through over 10 revisions since 2014. It requires federal agencies to implement information security programs to protect their information systems and the information they store.
FISMA requires agencies to conduct regular risk assessments and to implement security controls to address identified risks. It also adds the following policies and practices:
- Authorizes DHS to provide operational and technical assistance to other federal Executive Branch civilian agencies at the agency’s request.
- Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law.
- Authorizes DHS technology deployments to other agencies’ networks (upon those agencies’ request).
- Directs the Office of Management and Budget (OMB) to revise policies regarding notification of individuals affected by federal agency data breaches.
- Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually.
- Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.
Read details on the act here.
Personal Data Protection Bill – 2018
Country: India – 2018
The Personal Data Protection Bill (PDP) recognizes the right to privacy as a fundamental right and necessitates the protection of personal data as an essential facet of informational privacy.
It covers the collection, storage, and processing of personal data by organizations. The Bill gives individuals the right to access, correct, and delete their personal data, and it also imposes penalties on organizations that violate the law.
The following data protection obligations apply under the PDP Bill:
- Any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.
- Personal data shall be processed only for purposes that are clear, specific and lawful.
- Collection of personal data shall be limited to such data that is necessary for the purposes of processing.
- Lawful processing as defined in Chapter III and Chapter IV of the Bill.
- Notice: The data fiduciary shall provide the data principal with the following:
  - Purpose of use of the data.
  - Type of information being collected.
  - Identity and contact details of the data fiduciary and data protection officer.
  - The right of the principal to withdraw consent.
  - The period for which the data shall be retained and used.
  - (There are additional requirements; see sections 8.1(a-n), 8.2 and 8.3.)
- Data quality: The data fiduciary shall take reasonable steps to ensure that the personal data processed is complete, accurate, and not misleading.
- Data storage limitation: The data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed.
- Accountability: The data fiduciary shall be responsible for complying with all obligations set out in the PDP Bill.
The PDP Bill is enforced through civil (financial) and criminal penalties, including jail time.
Read details on the bill here.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Country: Canada – 2000
PIPEDA regulates the collection, use, and disclosure of personal information in the private sector.
Organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy and get it updated if inaccurate.
There are some instances where PIPEDA does not apply, such as:
- Personal information handled by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information such as an employee’s name, title, business address, telephone number or email address that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
- An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
Read details on the act here.
These are just a few examples of the many laws that exist to protect against illegal hacking and cybercrime. As technology keeps evolving and progressing, we are faced with additional challenges that at times must be addressed with new legislation.
One more thing to note is that the language used in some of these acts, bills and laws is vague to the extent that it can be misinterpreted, intentionally or unintentionally, and used against the original spirit of the law.
What To Do If Accused of Unauthorized Hacking
In case you are accused of unauthorized hacking or come under the vast net of cybercrime laws, it is highly suggested that you take the situation seriously and immediately consult a lawyer or other legal representative.
Depending on the country, or the jurisdiction within a country, such accusations can affect you in different ways.
Listed below are some steps you can take if you find yourself accused:
- Stay calm and do not panic: It is easy to make mistakes when handling a situation, especially one as serious as this. Take a step back and calmly evaluate the accusation and the risk to you.
- Contact a lawyer: This should be your first step. Seek legal representation as soon as possible. A lawyer can help you understand the charges against you and guide you through the legal process.
- Gather information: Try to gather as much information as possible about the allegations against you, including any evidence or documentation. This will help you when contesting the charges.
- Fully cooperate with law enforcement: If you are contacted by law enforcement, you should cooperate with their investigation. However, try to avoid making statements that could be used against you. The best option is to have all communications handled through your legal representative.
- Protect your digital assets: If you are accused of unauthorized hacking, secure your digital assets and protect any sensitive information. Do not destroy any information or device.
Hacking is a complex and controversial field that requires careful consideration of both ethical and legal principles. While hacking can be used for malicious purposes, it is a powerful tool for improving the security of systems and networks, when done ethically with consent and authorization.